The qualities demanded of a GRC professional

Written by Paul Eccleson on Friday July 23, 2021

In this blog I’ll be taking a look at how and why the role profile of a governance, risk and compliance (GRC) professional is a challenging one. The mix of risk management, business strategy understanding, regulatory analysis and interpersonal influence required is daunting.[1] If that wasn’t a big enough ask, I’d add another essential requirement: being alert to, and overcoming, basic human tendencies in oneself that will get in the way of ‘doing the right thing’. An effective GRC practitioner must face problems rather than avoid them, hold to principles when it is easier to dodge them and challenge commonly accepted beliefs when needed. What psychological research tells us is that these qualities do not come naturally to us as humans.

We are, by nature, social beings, and our desire to identify with groups and to ‘fit in’ is incredibly strong. In a classic experiment, a group of 10 people was asked to pick, from a set of drawn lines, the one that matched the length of an example line they had been shown. Nine of the group were ‘plants’ who had all been instructed to choose the same, but obviously incorrect, line. The subject was then asked to make their choice. A majority of subjects went with the (clearly erroneous) consensus at least once. Such conformity is enhanced when the ‘correct’ choice is less clear, when the subject identifies strongly with the group and when an authority figure encourages them to act in a particular way. In short, when everyone is pulling towards the same, vaguely defined, goal and authority figures are leading the way, following erroneous pathways is much more likely. This is exactly what we have – and what is desired – in most organisations.

To make matters worse, when faced with a challenging situation that requires intervention, most people will choose not to get involved. This is especially true when there are a lot of people witnessing the problem. Such diffusion of responsibility makes it more likely that no action will be taken at all, by anyone. There are several barriers to intervention at play here. If non-compliance is accepted as just the ‘way we do things’, colleagues may be completely blind to the issue in the first place. The same non-compliant culture may also make people feel that there is no point in escalating issues – the organisation will not do anything about it anyway. A mixture of poor culture and feelings of personal impotence will undermine any policies or expectations the GRC function might set.


Sealing the deal for non-compliant behaviour is the human ability to morally disengage from our actions (or lack of action). I have focused in other articles for members of the ICA on the mechanisms people use to become comfortable with morally uncomfortable aspects of their own behaviour. We are masters of telling ourselves stories that reduce internal discomfort and allow us to sleep at night.

With this analysis, I am not concluding that humans are inherently ‘bad’ or ‘morally weak’. These natural tendencies can be used to enhance rather than compromise compliance. My intent is to illustrate the challenge that GRC professionals face in dealing with organisations and the internal challenges faced in containing their own natural tendencies.

Here are just a few personal words of encouragement based on what the psychological literature has to say about our GRC roles.

  • Be brave: your own internal voice is likely to be the same as everyone’s – ‘don’t get involved, go with the consensus and morally disengage from the consequences’. As GRC professionals our role is often the reverse of this – we will be the only person walking towards a problem and calling out the moral issues at its heart. Doing so, when it seems like the rest of the firm is against you, takes bravery.
  • Respect individuals: with the exception of a very small number of extreme personalities, people want to do the right thing. What has led to non-compliant behaviours is a complex recipe of imperfect processes, stretch goals, under resourced controls and a demanding work environment. These can be addressed and fixed with appropriate management focus and intent.
  • Be mindful of your own moral disengagement: it can be difficult to spot when you are justifying to yourself why you are ‘backing off’ rather than ‘facing’ an issue. It’s common to hear such phrases as ‘that’s the business’s responsibility’ or ‘it’s only a minor breach – we have bigger things to worry about’. Diffusion of responsibility and internally downplaying impacts are powerful psychological forces that you need to challenge yourself about.

The strength of character needed to overcome these natural human instincts makes me immensely proud of GRC professionals. We carry out responsibilities that are fundamentally just: championing AML controls because money laundering fuels hideous crimes in our society or bringing the ‘voice of the customer’ into conversations where the ‘voice of profit’ has been dominant. At its core, GRC is a human challenge. Understanding the behavioural drivers of both ourselves and others is a fundamental requirement of what we do.

I offer the following clarion call: Be brilliant. Be human. Be proud.



[1] The ICA provides a helpful infographic here:


This is the last article in Paul Eccleson's blog series entitled ‘The psychology of compliance’ for ICA. 
